Re: primary_conninfo missing from pg_stat_wal_receiver

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
Cc: Michael Paquier <michael.paquier@gmail.com>, Tatsuo Ishii <ishii@postgresql.org>, vik@2ndquadrant.fr, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>, Masao Fujii <masao.fujii@gmail.com>
Date: 2016-06-21T03:06:15Z
Lists: pgsql-hackers
Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> On 6/20/16 10:29 PM, Tom Lane wrote:
>> What I would want to know is whether this specific change is actually a
>> good idea.  In particular, I'm concerned about the possible security
>> implications of exposing primary_conninfo --- might it not contain a
>> password, for example?

> That would have been my objection.  This was also mentioned in the 
> context of moving recovery.conf settings to postgresql.conf, because 
> then the password would become visible in SHOW commands and the like.

> Alternatively or additionally, implement a way to strip passwords out of 
> conninfo information.  libpq already has information about which 
> connection items are sensitive.

Yeah, I'd been wondering whether we could parse the conninfo string into
individual fields and then drop the password field.  It's hard to see a
reason why this view needs to show passwords, since presumably everything
in it corresponds to successful connections --- if your password is wrong,
you aren't in it.

			regards, tom lane


Commits

  1. Add conninfo to pg_stat_wal_receiver

  2. Only show pg_stat_replication details to superusers